With the widespread use of the internet to conduct business, online theft attempts have increased as well. As a result, it is vital to develop techniques to secure online transactions. An important problem in this context is identifying the computer that has been used to conduct a certain transaction. For example, if a user claims that he never conducted a certain transaction, it will be useful for the service provider to be able to establish that the disputed transaction was conducted using a specific machine that belongs to the user.
Several techniques have been proposed for this problem. One such technique is to employ the difference between the time of the machine used for a transaction and the time of the server, as described by Eisen in U.S. Patent Application 2009/0037213. This approach presumes the server synchronizes its time periodically with accurate time clocks. In addition to the time difference, this technique also suggests the use of other personal and non-personal information, including the browser ID, and assigns different weights to the different items of information. However, this technique of using time differences has limitations. For example, many service providers, such as banking institutions, are reluctant to employ methods with a probability of rendering false positives, because of the negative impact on legitimate customers. To minimize false positives using the method described by Eisen, the granularity of the time measurement probably has to be on the order of seconds. With default synchronization, the spread of most system clocks is probably no more than one to two minutes. So the number of comparison groups that can effectively be used is on the order of 25 to 50. This makes the time difference method reasonably useful as a risk input item, but not sufficiently precise to qualify as a unique system identifier or machine identity parameter.
Another technique is to store a time-stamped token in a machine. This token could possibly be encrypted, and can be retrieved at any time and used as a part of the fraud evaluation. However, it is easy to steal this token and move it to another machine. Another problem with this approach, or any similar approach dependent upon a cookie or other token stored on the machine, is that the machine may block the storage of the cookie or token, rendering the approach ineffective.
Another technique is to download and install software on the machine to collect machine information and system configuration. However, many users and user machines block the installation of software downloads to collect this information. Another problem with this approach is that the information collected can provide 50 to 60 properties, which provide a level of uniqueness but do not provide a fully unique identifier to distinguish the machine from another machine similarly or identically configured. The probability of multiple machines being identically configured is significant, for example, due to groups of institutionally purchased and identically specified machines and/or standardized production of computers, PDAs, etc., which further decreases the discrimination and uniqueness provided by this approach.